[openstack-dev] [puppet][operators] How to specify Keystone v3 credentials?
rmeggins at redhat.com
Mon May 4 23:35:27 UTC 2015
I'm currently working on Keystone v3 support in the openstack puppet
The way authentication works with the Icehouse branch is that
puppet-keystone reads the admin_token and admin_endpoint from
/etc/keystone/keystone.conf and passes these to the keystone command via
the OS_SERVICE_TOKEN env. var. and the --os-endpoint argument, respectively.
This will not work on a node where Keystone is not installed (unless you
copy /etc/keystone/keystone.conf to all of your nodes).
I am assuming there are admins/operators that have actually deployed
OpenStack using puppet on nodes where Keystone is not installed?
If so, how? How do you specify the authentication credentials? Do you
use environment variables? If so, how are they specified?
For Keystone v3, in order to use v3 for authentication, and in order to
use the v3 identity api, there must be some way to specify the various
domains to use - the domain for the user, the domain for the project, or
the domain to get a domain scoped token.
There is a similar issue when creating domain scoped resources like
users and projects. As opposed to editing dozens of manifests to add
domain parameters to every user and project (and the classes that call
keystone_user/tenant, and the classes that call those classes, etc.), is
there some mechanism to specify a default domain to use? If not, what
about using the same mechanism used today to specify the Keystone
The goal is that all keystone domain scoped resources will eventually
require specifying a domain, but that will take quite a while and I
would like to provide an incremental upgrade path.
More information about the OpenStack-dev